
Computer Security - From Basic to Pro Hacker (6th Semester BCA DAITM) 23rd June 2008

Computer Security
From Basics to Pro Hacker

By Jit Ray Chowdhury


Roll 04 BCA 6th SEMESTER
Dinabandhu Andrews Institute of Technology and Management
Email ID:-jit.ray.c@gmail.com Contact No:- 9831546599

Jit Ray Chowdhury 1 http://jit.ray.c@googlepages.com



Your computer could be watching your every move!
Image Source - http://www.clubpmi.it/upload/servizi_marketing/images/spyware.jpg


Introduction
Basic protection for Dummies


Virus!!

Viruses don't just attack your computer; they
attack you first. Most of them need some user
interaction to get your PC infected, so they play
with your mind and fool you into providing it.


Protecting against Viruses

To protect your PC from viruses, you not only
need to have an up-to-date antivirus and firewall
installed, you also need to be aware of the ways
viruses fool you.

Example: you commonly run external scripts
sent by a virus to your scrapbook.


Must Know About

SPYWARE
A program that monitors your actions. While they are sometimes
like a remote control program used by a hacker, software
companies to gather data about customers. The practice is
generally frowned upon.
Definition from: BlackICE Internet Security Systems - http://blackice.iss.net/glossary.php

TROJAN HORSE
An apparently useful and innocent program containing additional
hidden code which allows the unauthorized collection,
exploitation, falsification, or destruction of data.
Definition from: Texas State Library and Archives Commission - http://www.tsl.state.tx.us/ld/pubs/compsecurity/glossary.html


Symptoms

• Targeted Pop-ups - SPYWARE
• Slow Connection - SPYWARE / TROJAN
• Targeted E-Mail (Spam) - SPYWARE
• Unauthorized Access - TROJAN HORSE
• Spam Relaying - TROJAN HORSE
• System Crash - SPYWARE / TROJAN
• Program Customisation - SPYWARE


Spyware - Network Overview
• Push
  - Advertising
• Pull
  - Tracking
  - Personal data

Image Source – Image derived and produced by; Andrew Brown, Tim Cocks and Kumutha Swampillai, February 2004.


Virus, Worm, Trojan Horse, Spyware
• Viruses cannot replicate themselves, but worms
and Trojans can.
• A virus cannot spread without a human
action such as running an infected file or
program, but worms and Trojans have the
capability to spread themselves automatically
from computer to computer through a network
connection.

• A virus does not consume system memory, but
a worm consumes too much system memory
and network bandwidth.
• Trojans are used by malicious users to access
the information on your computer; viruses and
worms can't do so, they simply infect your
computer.
• Spyware collects data from your computer
without consent, for precision marketing by
various companies.


Hackers
The Attitude to the Infinity


What is a Hacker?
• It's about technical adeptness and a delight in
solving problems and overcoming limits.

• There is a community of expert programmers and
networking wizards that traces its history back
through decades to the first time-sharing
minicomputers and the earliest ARPAnet
experiments. The members of this culture
originated the term ‘hacker’. Hackers built the
Internet. Hackers made the Unix operating system
what it is today. Hackers make the World Wide
Web work. If you are part of this culture, if you
have contributed to it and other people in it know
who you are and call you a hacker, you're a
hacker.


• The hacker mind-set is not confined to this
software-hacker culture. There are people who
apply the hacker attitude to other things, like
electronics or music — actually, you can find it at
the highest levels of any science or art. Software
hackers recognize these kindred spirits elsewhere
and may call them ‘hackers’ too — and some claim
that the hacker nature is really independent of the
particular medium the hacker works in. But in the
rest of this document we will focus on the skills
and attitudes of software hackers, and the
traditions of the shared culture that originated the
term ‘hacker’.


• There is another group of people who loudly call
themselves hackers, but aren't. These are people
(mainly adolescent males) who get a kick out of
breaking into computers and phreaking the phone
system. Real hackers call these people ‘crackers’
and have nothing to do with them. Real hackers
mostly think crackers are lazy, irresponsible, and
not very bright, and object that being able to break
security doesn't make you a hacker any more than
being able to hotwire cars makes you an
automotive engineer. Unfortunately, many
journalists and writers have been fooled into using
the word ‘hacker’ to describe crackers; this
irritates real hackers no end.
• The basic difference is this: hackers build things,
crackers break them.


The Hacker Attitude


• Don’t learn to Hack, Hack to Learn.
• The world is full of fascinating problems
waiting to be solved.
• No problem should ever have to be solved
twice.
• Boredom and drudgery are evil.
• Attitude is no substitute for competence.


Don't learn to Hack, Hack to Learn
Hackers solve problems and build things, and they
believe in freedom and voluntary mutual help. You
also have to develop a kind of faith in your own
learning capacity — a belief that even though you
may not know all of what you need to solve a
problem, if you tackle just a piece of it and learn
from that, you'll learn enough to solve the next
piece — and so on, until you're done.


The world is full of fascinating problems waiting to be solved
Being a hacker is lots of fun, but it's a kind of
fun that takes lots of effort. The effort takes
motivation. Successful athletes get their
motivation from a kind of physical delight in
making their bodies perform, in pushing their
own physical limits. Similarly, to be a hacker
you have to get a basic thrill from solving
problems, sharpening your skills, and
exercising your intelligence. If you aren't the
kind of person that feels this way naturally,
you'll need to become one in order to make it
as a hacker. Otherwise you'll find your hacking
energy is drained by distractions like money,
and social approval.


No problem should ever have to be solved twice.
• Creative brains are a valuable, limited
resource. They shouldn't be wasted on
re-inventing the wheel when there are so many
fascinating new problems waiting out there.

• To behave like a hacker, you have to believe
that the thinking time of other hackers is
precious — so much so that it's almost a moral
duty for you to share information, solve
problems and then give the solutions away
just so other hackers can solve new problems
instead of having to perpetually re-address old
ones.


Boredom and drudgery are evil.
• Hackers (and creative people in general)
should never be bored or have to drudge at
stupid repetitive work, because when this
happens it means they aren't doing what only
they can do — solve new problems. This
wastefulness hurts everybody. Therefore
boredom and drudgery are not just unpleasant
but actually evil.

• To behave like a hacker, you have to believe
this enough to want to automate away the
boring bits as much as possible, not just for
yourself but for everybody else (especially
other hackers).

Attitude is no substitute for competence.
• To be a hacker, you have to develop some of these
attitudes. But copying an attitude alone won't make you
a hacker. Becoming a hacker will take intelligence,
practice, dedication, and hard work.

• Therefore, you have to learn to distrust attitude and
respect competence of every kind. Hackers won't let
posers waste their time, but they worship competence.

• The hacker attitude is vital, but skills are even more
vital. Attitude is no substitute for competence, and
there's a certain basic toolkit of skills which you have to
have before any hacker will dream of calling you one.
This toolkit changes slowly over time as technology
creates new skills and makes old ones obsolete.


Basic Hacking Skills


• Learn how to program.
• Get one of the open-source Unixes and learn
to use and run it.
• Learn how to use the World Wide Web and
write HTML.
• If you don't have functional English, learn it.


Class of Hackers
• Black hats
Individuals with extraordinary computing skills, resorting to
malicious or destructive activities. Also known as ‘Crackers.’
• Gray Hats
Individuals who work both offensively and defensively at
various times.
• White Hats
Individuals professing hacker skills and using them for
defensive purposes. Also known as ‘Security Analysts’.


• Script Kiddies
Person, normally … not technologically sophisticated,
who randomly seeks out a specific weakness over the
internet to gain root access to a system without really
understanding what he is exploiting because the
weakness was discovered by someone else.
• Phreak
Person who breaks into … telecommunications systems.
• Ethical Hacker
May be independent or may be a group of consultants.
Claims to be knowledgeable about black hat activities.


Responsibility of Hackers

• Write open-source software
• Help test and debug open-source software
• Publish useful information
• Serve the hacker culture itself


Disciplined Life of Hackers


Again, to be a hacker, you have to enter the
hacker mindset. There are some things you can do
when you're not at a computer that seem to help.
They're not substitutes for hacking (nothing is) but
many hackers do them, and feel that they connect
in some basic way with the essence of hacking.

• Read science fiction. Go to science fiction
conventions (a good way to meet hackers and
proto-hackers).

• Develop your appreciation of puns and wordplay.


• Train in a martial-arts form. The kind of mental
discipline required for martial arts seems to be similar in
important ways to what hackers do. The most popular
forms among hackers are definitely Asian empty-hand
arts such as Tae Kwon Do, various forms of Karate,
Kung Fu, Aikido, or Ju Jitsu. The most hackerly martial
arts are those which emphasize mental discipline,
relaxed awareness, and control, rather than raw
strength, athleticism, or physical toughness.

• Study an actual meditation discipline. The perennial
favorite among hackers is Zen. Other styles may work
as well, but be careful to choose one that doesn't
require you to believe crazy things.

• Develop an analytical ear for music. Learn to appreciate
peculiar kinds of music. Learn to play some musical
instrument well, or how to sing.


• The more of these things you already do, the more
likely it is that you are natural hacker material. Why
these things in particular is not completely clear, but
they're connected with a mix of left- and right-brain
skills that seems to be important; hackers need to be
able to both reason logically and step outside the
apparent logic of a problem at a moment's notice.

• Work as intensely as you play and play as intensely as
you work. For true hackers, the boundaries between
"play", "work", "science" and "art" all tend to disappear,
or to merge into a high-level creative playfulness. Also,
don't be content with a narrow range of skills. Though
most hackers self-describe as programmers, they are
very likely to be more than competent in several related
skills — system administration, web design, and PC
hardware troubleshooting are common ones. A hacker
who's a system administrator, on the other hand, is
likely to be quite skilled at script programming and web
design. Hackers don't do things by halves; if they invest
in a skill at all, they tend to get very good at it.


Hacking
The Professionalism


Why is this knowledge necessary?
• The Internet has grown very fast and security has lagged
behind.
• In 1988 a "worm program" written by a college student
shut down about 10 percent of computers connected to the
Internet. This was the beginning of the era of cyber
attacks.
• In India there is a demand for about 80,000 security
professionals, whereas only 22,000 are available, and
the market for security specialists is expanding, unlike other
technology professions.


95% of Web Apps Have Vulnerabilities
• Cross-site scripting (80 percent)
• SQL injection (62 percent)
• Parameter tampering (60 percent)
• Cookie poisoning (37 percent)
• Database server (33 percent)
• Web server (23 percent)
• Buffer overflow (19 percent)


Cross-site scripting


SQL injection
• Unvalidated input: "SQL Injection" example
username = admin
password = anything' OR 'x'='x

• Original Query
SELECT count(*) FROM userinfo WHERE name='@username' and pass='@password'

• Database will execute
SELECT count(*) FROM userinfo WHERE name='admin' and pass='anything' OR 'x'='x'

AND binds tighter than OR, so the trailing OR 'x'='x' makes the WHERE clause true for every row in userinfo.

Got logged in successfully!
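
Added example (not part of the original slides): the slide's query run against an in-memory SQLite database from Python, first built by string concatenation as on the slide and then with bound parameters. The sample rows, the function names and the choice of SQLite are assumptions made for this illustration.

```python
import sqlite3

PAYLOAD = "anything' OR 'x'='x"  # the password value shown on the slide


def make_db():
    """In-memory database with constructed sample rows (not from the slides)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE userinfo (name TEXT PRIMARY KEY, pass TEXT)")
    # Plaintext passwords only mirror the slide's schema; real systems store
    # a salted password hash instead.
    db.executemany(
        "INSERT INTO userinfo (name, pass) VALUES (?, ?)",
        [("admin", "s3cret-constructed"), ("oneil", "it's-constructed")],
    )
    return db


def build_vulnerable_query(username, password):
    """The slide's query: user input is pasted straight into the SQL text."""
    return (
        "SELECT count(*) FROM userinfo WHERE name='" + username
        + "' and pass='" + password + "'"
    )


def login_vulnerable(db, username, password):
    (count,) = db.execute(build_vulnerable_query(username, password)).fetchone()
    return count > 0


def login_parameterized(db, username, password):
    """Same check with bound parameters: input is data, never SQL syntax."""
    (count,) = db.execute(
        "SELECT count(*) FROM userinfo WHERE name = ? AND pass = ?",
        (username, password),
    ).fetchone()
    return count > 0


def demo():
    db = make_db()
    results = {
        "vulnerable_with_payload": login_vulnerable(db, "admin", PAYLOAD),
        "parameterized_with_payload": login_parameterized(db, "admin", PAYLOAD),
        "parameterized_real_password": login_parameterized(
            db, "admin", "s3cret-constructed"
        ),
    }
    # A legitimate password containing a quote breaks the concatenated query
    # but is handled correctly as a bound value.
    try:
        login_vulnerable(db, "oneil", "it's-constructed")
        results["vulnerable_quote_password"] = "accepted"
    except sqlite3.OperationalError:
        results["vulnerable_quote_password"] = "syntax error"
    results["parameterized_quote_password"] = login_parameterized(
        db, "oneil", "it's-constructed"
    )
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The concatenated version both accepts the slide's payload and rejects a legitimate password that happens to contain a quote; the bound-parameter version gets both cases right.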


Phases Involved in Ethical Hacking
• Footprinting
• Scanning
• Enumeration
• Gaining Access
• Escalating privilege
• Pilfering
• Covering tracks
• Creating back doors
• Denial of service


Footprinting
• Objective
  - Gathering the target address range, namespace acquisition and other
    information essential for an attack.

• Techniques
  - Domain name lookup
  - Whois
  - Nslookup
  - Sam Spade
  - ARIN (American Registry of Internet Numbers)


Scanning
• Objective
  - Bulk target assessment and identification of listening services focuses
    the attacker's attention on the most promising avenues of entry
• Techniques
  - Ping sweep
  - TCP/UDP port scan
  - OS Detection


Enumeration
• Objective
  - More intrusive probing now begins as attackers begin identifying valid
    user accounts or poorly protected resource shares
• Techniques
  - List user accounts
  - List file shares
  - Identify applications


Gaining Access
• Objective
  - Enough data has been gathered at this point to make an informed
    attempt to access the target
• Techniques
  - Password eavesdropping
  - File share brute forcing
  - Password file grab
  - Buffer overflows


Pilfering
• Objective
  - The information gathering process begins again to identify
    mechanisms to gain access to trusted systems
• Techniques
  - Elevate trusts
  - Search for cleartext passwords


Covering Tracks
• Objective
  - Once total ownership of the target is secured, hiding this fact from
    system administrators becomes paramount, lest they quickly end the
    romp
• Techniques
  - Clear logs
  - Hide tools


Creating Back Doors
• Objective
  - Trap doors will be laid in various parts of the system to ensure that
    privileged access is easily regained at the whim of the intruder
• Techniques
  - Create rogue user accounts
  - Schedule batch jobs
  - Infect startup files
  - Plant remote control services
  - Install monitoring mechanisms
  - Replace apps with Trojans


Denial of Service
• Objective
  - If an attacker is unsuccessful in gaining access, they may use readily
    available exploit code to disable a target as a last resort
• Techniques
  - SYN flood
  - ICMP techniques
  - Identical SYN requests
  - Overlapping fragment/offset bugs
  - Out of bounds TCP options (OOB)
  - DDoS


Finally
There is always more to learn, like Evading
IDS, Firewalls, Honey pots, Buffer Overflows,
Cryptography, Sniffers and the protective
measures to be taken to defend against all
these. But it's time for me to leave you on
your own, to take up the responsibility and
learn it yourself if you are passionate
enough to pursue all this.


Thank You
Questions??


Bibliography / Links
• [0] “A Brief History of Hackerdom” - http://catb.org/~esr/writings/hacker-history/hacker-history.html
• [1] "Spyware" Definition - BlackICE Internet Security Systems - http://blackice.iss.net/glossary.php
• [2] "Trojan Horse" Definition - Texas State Library and Archives Commission - http://www.tsl.state.tx.us/ld/pubs/compsecurity/glossary.html
• [3] Zeinalipour-Yazti, D. “Exploiting the Security Weaknesses of the Gnutella Protocol”, University of California.
• [4] Joshi, R. “Network Security Applications”, Merchantile Communications, CANIT Conference 2003.
• [5] CERT Advisory CA-1999-02 - http://www.cert.org/advisories/CA-1999-02.html
• [6] Spyware Guide - http://www.spyware-guide.com
• [7] Trojan Horses - http://www.mpsmits.com/highlights/trojan_horses.shtml
• [8] Trojan Horse - Back Orifice - http://www.nwinternet.com/~pchelp/bo/bo.html
• [9] NetBus - http://www.nwinternet.com/~pchelp/nb/netbus.htm
• [10] BBC News - http://news.bbc.co.uk/1/hi/technology/3153229.stm
• [11] Wired News - “Judge takes bite out of Gator” - www.wired.com/news/politics/0,1283,53875,00.html
• [12] Tracking Cookies - Demonstration at http://www.irt.org/instant/chapter10/tracker/index4.htm
• [13] BonziBuddy - http://www.bonzi.com/bonzibuddy/bonzibuddyfreehom.asp
• [14] Unwanted Links (Spyware) - http://www.unwantedlinks.com
• [15] Anderson, R. "Security Engineering", First Edition, J. Wiley and Sons, 2001.
• [16] Scacchi, W. “Privacy and Other Social Issues”, Addison-Wesley, 2003. - http://www.ics.uci.edu/~wscacchi/Tech-EC/Security+Privacy/Privacy.ppt
